Windows Kernel Use-After-Free CVE-2026-45657: Critical RCE Risk
CVE-2026-45657 is a critical use-after-free flaw in the Windows Kernel scoring 9.8 CVSS, allowing unauthenticated remote code execution on Windows 11 and Windows Server 2022/2025.
TL;DR
- CVE-2026-45657 is a use-after-free (CWE-416) in the Windows Kernel that enables unauthenticated remote code execution.
- CVSS base score: 9.8 (Critical) - the highest-risk tier; no privileges, no user interaction, network-reachable.
- Affected systems include Windows 11 versions 23H2 through 26H1 and Windows Server 2022 and 2025 (including Server Core).
- No confirmed in-the-wild exploitation at time of writing; not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- Immediate action required: apply the patch from the Microsoft Security Response Center advisory and follow the hardening steps below.
What is CVE-2026-45657?
CVE-2026-45657 is a use-after-free vulnerability in the Windows Kernel that allows an unauthorized attacker to execute arbitrary code remotely. The flaw means the kernel references a memory object after it has already been freed, creating a window for attackers to plant malicious data at that freed address and redirect execution flow - all without any authentication.
Use-after-free bugs (CWE-416) are among the most dangerous memory-safety issues because the attacker effectively writes the narrative of what the freed memory contains. In kernel space, that narrative runs at the highest privilege ring, making the potential impact absolute: full system compromise.
Who is affected?
The following Microsoft products are confirmed affected according to the CVE-2026-45657 record:
- Microsoft Windows 11 version 23H2 (both consumer and enterprise builds)
- Microsoft Windows 11 Version 24H2
- Microsoft Windows 11 Version 25H2
- Microsoft Windows 11 version 26H1
- Microsoft Windows Server 2022
- Microsoft Windows Server 2025
- Microsoft Windows Server 2025 (Server Core installation)
Organizations running any of these releases on internet-facing or internally networked machines should treat patching as their highest-priority workload until remediated.
How severe is it?
CVSS 3.1 base score: 9.8 / 10 (Critical). The full vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C.
Breaking that down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over any network |
| Attack Complexity (AC) | Low | No special conditions or race timing needed |
| Privileges Required (PR) | None | Attacker needs zero existing access |
| User Interaction (UI) | None | No victim click or action required |
| Confidentiality / Integrity / Availability | High / High / High | Full system compromise possible |
| Exploit Maturity (E) | Unproven | No public proof-of-concept at time of scoring |
| Remediation Level (RL) | Official Fix | Patch is available |
The combination of AV:N, AC:L, PR:N, and UI:N produces a near-perfect base score. In practice this means any network path to an affected machine - VPN, exposed RDP gateway, a vulnerable kernel-level network service - could be a viable attack surface. The scope is Unchanged (S:U), meaning the impact stays within the vulnerable component, but since that component is the kernel, the entire host is at risk.
Is it being exploited?
No confirmed in-the-wild exploitation has been reported as of the publication date (2026-06-09). CVE-2026-45657 is not listed in the CISA Known Exploited Vulnerabilities catalog, and the CVSS temporal metric shows Exploit Maturity as Unproven (E:U), meaning no reliable public proof-of-concept exploit exists at the time of scoring.
That said, a kernel use-after-free with a 9.8 score and no authentication barrier is exactly the profile that attracts rapid weaponization after public disclosure. Patch windows measured in hours, not weeks, are realistic for vulnerabilities of this class. Treat the current lack of active exploitation as a limited head start, not a reason to delay.
How to fix and mitigate it
-
Apply the official Microsoft patch immediately. No specific fixed build number is repeated here to avoid version drift; always pull the current guidance directly from the MSRC advisory page.
-
Prioritize internet-facing and privileged Windows Server hosts first. Windows Server 2022 and 2025 systems exposed to the internet or hosting domain controllers carry the highest blast radius.
-
Audit and restrict inbound network access to the Windows Kernel attack surface. Block unnecessary inbound traffic at the perimeter firewall and host-based Windows Firewall until the patch is applied:
# Example: block all inbound connections on a server until patch window
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block
# Re-enable only required inbound rules after patching
- Enable Windows Defender Credential Guard and Memory Integrity (HVCI) on supported hardware. Hypervisor-Protected Code Integrity makes it significantly harder for kernel memory corruption bugs to reach stable exploitation.
# Check HVCI status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
-
Isolate unpatched systems via network segmentation until remediation is complete. Move them behind additional NAT or micro-segmentation controls to reduce direct exposure.
-
Enable automatic updates on Windows 11 endpoints to shrink future patch latency.
How to detect exposure
Check your Windows build version to confirm whether systems fall in the affected range:
# Run on each host; compare output against affected version list
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber
Monitor kernel-mode crash dumps. A use-after-free being probed may generate bugcheck codes such as 0x19 (BAD_POOL_HEADER) or 0xC5 (DRIVER_CORRUPTED_EXPOOL) in %SystemRoot%\Minidump. Unexpected kernel crashes on otherwise stable servers warrant investigation.
Review Windows Event Log for anomalous network connections targeting kernel-level services:
# Check Security log for unexpected inbound network events
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 5156 } | Select-Object -First 50
Deploy or query your EDR platform for memory-integrity violation alerts on ntoskrnl.exe and related kernel modules. Indicators to watch include unexpected pool allocation failures and anomalous kernel thread creation from network-facing processes.
Frequently asked questions
Does CVE-2026-45657 require the attacker to be on the same network?
No. The CVSS vector shows AV:N, meaning the attack originates over any network, including the public internet. No local access or adjacency is required, which is a primary reason the score reaches 9.8.
Is a login or user interaction needed to exploit CVE-2026-45657?
Neither. The vector specifies PR:N (no privileges required) and UI:N (no user interaction). An unauthenticated remote attacker can trigger the use-after-free in the Windows Kernel without any victim action.
Is CVE-2026-45657 actively exploited in the wild?
As of the publication date, CVE-2026-45657 is not listed in the CISA Known Exploited Vulnerabilities catalog, and no confirmed in-the-wild exploitation has been publicly reported. That status can change quickly, so monitor advisories regularly.
Which Windows releases are not affected by CVE-2026-45657?
The official advisory lists Windows 11 versions 23H2 through 26H1 and Windows Server 2022 and 2025. Older platforms such as Windows 10 and Windows Server 2019 are not mentioned, but check the Microsoft Security Response Center advisory directly to confirm your specific build.
